Malware Brief: Crafty phishing, BYOVD and Android RATs

The malware news keeps on coming. Today we’ll look briefly at an attack that leverages Meta platforms to deliver RAT malware to Android systems; an attack technique called bring-your-own-vulnerable driver that’s targeting Windows users; and an advanced, multistage phishing technique used by a well-known Russia-based threat group.

Malvertising on Meta targets Android systems

Type: RAT, Spyware

Malware: Brokewell

Spread: Malvertising

Vector: Meta environments

Target: Android systems

Active since: July 2024

Threat actors are reported to be using malvertising on Meta platforms to spread fake software. Ads promise a free TradingView Premium app, but instead the victim installs a version of the spyware and remote access Trojan (RAT) Brokewell.

As detailed in this BleepingComputer article, Brokewell uses a variety of means to provide a remote-access backdoor while recording activity and seeking out and stealing sensitive data, particularly focusing on financial and cryptocurrency data.

Bring-your-own-vulnerable-driver (BYOVD)

Type: RAT

Malware: ValleyRAT

Spread: Vulnerable Microsoft-signed WatchDog Antimalware drivers

Threat group: Silver Fox

Target: Microsoft Windows 7 through 11

As reported in SC Media, the cybercriminal group that calls itself Silver Fox has been using a BYOVD attack technique to infect Windows systems with the ValleyRAT remote access Trojan malware.

BYOVD involves deliberately loading a driver that has a known vulnerability, in this case a Microsoft-signed WatchDog Antimalware driver (or a Zemana driver for Windows 7 machines). These drivers were not listed in Microsoft’s Vulnerable Driver Blocklist.

Because drivers are installed with 0-level access to resources, attackers can then install the ValleyRAT remote access Trojan undetected, giving themselves access to and control over the infected system.

For a thorough technical analysis, check out this article in The Hacker News.

BlackBasta uses advanced phishing to drop malware

Type: Various

Malware: Zbot, DarkGate, custom malware

Spread: Innovative phishing techniques

Late last year, the threat group Black Basta was observed to be using a novel phishing technique to lure victims into installing malware on their systems.

First, the targets are email-bombed, creating the impression of a cyberattack of some type in progress. Then, attackers contact the target via Microsoft Teams, claiming to be members of the target company’s IT help desk.

Once the target accepts the chat, they are tricked into loading a variety of malware threats. Typically, a credential harvester first scrapes the user’s credentials, and then the malware can be used to install a loader such as Zbot, Zloader or DarkGate.